Analysis
-
max time kernel
129s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
13/05/2024, 06:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a0fff010a04942a3cabfa35744cc5d70_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a0fff010a04942a3cabfa35744cc5d70_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a0fff010a04942a3cabfa35744cc5d70_NeikiAnalytics.exe
-
Size
483KB
-
MD5
a0fff010a04942a3cabfa35744cc5d70
-
SHA1
d800db1a15268cec8172b2e9721c3da58f0a57ea
-
SHA256
0d6c06ab774442488aac4ac448de97eab600cc8507e277e2db124ac899eb0a1e
-
SHA512
0f75eed391f9858b58dcc46beb088c53e2f9e0c7eafe779fb98e28c943d89e1a5f054face090ac6b182d144fa18b08640489441113504e5524398bba26bae0e8
-
SSDEEP
6144:G74FLsUpjKtFy5v1k3RMZebBDRMZebBGzxUur/THL1k3RMZebBvG0NPhGcRPTDpJ:C4JAtY5vARM0RM/3ARMSG0dhvARMoHG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andgoobc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlncan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmemac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgneampk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhbgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colffknh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fljcmlfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofdacke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calhnpgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kibnhjgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbpgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eefhjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekemhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednaqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdqgmmjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gokdeeec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hioiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oponmilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kphmie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgqln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flceckoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jangmibi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fllpbldb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenamdem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgpagm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbifelba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhnnep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffimfqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbaipkbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogifjcdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpepcedo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mciobn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnkdhpjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdialn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glhonj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcppfaka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqpjidj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmelbid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdiooblp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohoigfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkagbej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbeidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcefno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjffddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffgqqaip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgmha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogkcpbam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opdghh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfpobpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obidhaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjkjpgfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcbjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchomn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedkdcie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Immapg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacbfdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbifelba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffkjlp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcojed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfoeega.exe -
Executes dropped EXE 64 IoCs
pid Process 1304 Ifhiib32.exe 3772 Iiffen32.exe 4972 Ipqnahgf.exe 956 Icljbg32.exe 3716 Iiibkn32.exe 2004 Ipckgh32.exe 3540 Ibagcc32.exe 1400 Idacmfkj.exe 4244 Ijkljp32.exe 1860 Imihfl32.exe 2872 Jpgdbg32.exe 1628 Jbfpobpb.exe 436 Jiphkm32.exe 4632 Jbhmdbnp.exe 3996 Jaimbj32.exe 3016 Jbkjjblm.exe 2924 Jjbako32.exe 1672 Jaljgidl.exe 632 Jfhbppbc.exe 5064 Jangmibi.exe 3052 Jbocea32.exe 4980 Jkfkfohj.exe 2676 Kdopod32.exe 4720 Kkihknfg.exe 4380 Kpepcedo.exe 4108 Kaemnhla.exe 4324 Kphmie32.exe 4808 Kbfiep32.exe 1736 Kknafn32.exe 2492 Kagichjo.exe 4976 Kdffocib.exe 1424 Kgdbkohf.exe 1856 Kibnhjgj.exe 820 Kajfig32.exe 5072 Kckbqpnj.exe 4756 Kkbkamnl.exe 5108 Lmqgnhmp.exe 1096 Lpocjdld.exe 1932 Lcmofolg.exe 5116 Liggbi32.exe 1808 Laopdgcg.exe 4072 Ldmlpbbj.exe 3600 Lgkhlnbn.exe 4368 Laalifad.exe 1836 Ldohebqh.exe 616 Lgneampk.exe 4328 Lnhmng32.exe 1880 Laciofpa.exe 1168 Lgpagm32.exe 4588 Ljnnch32.exe 400 Lphfpbdi.exe 4604 Lcgblncm.exe 4820 Mnlfigcc.exe 1412 Mpkbebbf.exe 3632 Mciobn32.exe 3332 Mnocof32.exe 5044 Mcklgm32.exe 2940 Mjeddggd.exe 4320 Mamleegg.exe 2076 Mdkhapfj.exe 1876 Mcnhmm32.exe 3868 Mkepnjng.exe 4776 Maohkd32.exe 4988 Mdmegp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Enfioebm.dll Pnihcq32.exe File opened for modification C:\Windows\SysWOW64\Ehedfo32.exe Eefhjc32.exe File created C:\Windows\SysWOW64\Gblngpbd.exe Gcimkc32.exe File created C:\Windows\SysWOW64\Pjffbc32.exe Pkceffcd.exe File created C:\Windows\SysWOW64\Pjkolmml.dll Ffgqqaip.exe File opened for modification C:\Windows\SysWOW64\Iikhfg32.exe Ibqpimpl.exe File opened for modification C:\Windows\SysWOW64\Jaljgidl.exe Jjbako32.exe File opened for modification C:\Windows\SysWOW64\Nbmelbid.exe Njfmke32.exe File created C:\Windows\SysWOW64\Pkfhoiaf.dll Ojgbfocc.exe File created C:\Windows\SysWOW64\Chmeobkq.exe Cdainc32.exe File created C:\Windows\SysWOW64\Becbkfdh.dll Cbgbgj32.exe File opened for modification C:\Windows\SysWOW64\Ddpeoafg.exe Demecd32.exe File created C:\Windows\SysWOW64\Pgmcqggf.exe Pengdk32.exe File created C:\Windows\SysWOW64\Ocalcppo.dll Ecjhcg32.exe File created C:\Windows\SysWOW64\Ckijjqka.dll Lllcen32.exe File created C:\Windows\SysWOW64\Ickfifmb.dll Anogiicl.exe File created C:\Windows\SysWOW64\Ogjmdigk.exe Ndkahnhh.exe File created C:\Windows\SysWOW64\Aanjpk32.exe Anpncp32.exe File created C:\Windows\SysWOW64\Cddecc32.exe Ceaehfjj.exe File opened for modification C:\Windows\SysWOW64\Boepel32.exe Bkidenlg.exe File created C:\Windows\SysWOW64\Jiopcppf.dll Jbeidl32.exe File created C:\Windows\SysWOW64\Mnocof32.exe Mciobn32.exe File opened for modification C:\Windows\SysWOW64\Ocbddc32.exe Opdghh32.exe File created C:\Windows\SysWOW64\Fdnjgmle.exe Ffkjlp32.exe File created C:\Windows\SysWOW64\Gcgnkd32.dll Ncianepl.exe File created C:\Windows\SysWOW64\Bhgejlhj.dll Bhfonc32.exe File created C:\Windows\SysWOW64\Bgcomh32.dll Laalifad.exe File created C:\Windows\SysWOW64\Bkomqm32.dll Gcddpdpo.exe File created C:\Windows\SysWOW64\Bnlnon32.exe Bjpaooda.exe File created C:\Windows\SysWOW64\Mlilmlna.dll Iiffen32.exe File created C:\Windows\SysWOW64\Bmnjlc32.dll Ajfoiqll.exe File created C:\Windows\SysWOW64\Olgkhn32.dll Eeidoc32.exe File created C:\Windows\SysWOW64\Laalifad.exe Lgkhlnbn.exe File opened for modification C:\Windows\SysWOW64\Ogljjiei.exe Odnnnnfe.exe File created C:\Windows\SysWOW64\Eamhodmf.exe Ecjhcg32.exe File created C:\Windows\SysWOW64\Adopjh32.dll Ickchq32.exe File created C:\Windows\SysWOW64\Ghaddm32.dll Cajcbgml.exe File created C:\Windows\SysWOW64\Ifefimom.exe Ibjjhn32.exe File opened for modification C:\Windows\SysWOW64\Kdopod32.exe Jkfkfohj.exe File created C:\Windows\SysWOW64\Gidjfdep.dll Clbceo32.exe File created C:\Windows\SysWOW64\Liggbi32.exe Lcmofolg.exe File opened for modification C:\Windows\SysWOW64\Flceckoj.exe Fhgjblfq.exe File created C:\Windows\SysWOW64\Inpocg32.dll Kmkfhc32.exe File created C:\Windows\SysWOW64\Hffdjk32.dll Bnlnon32.exe File created C:\Windows\SysWOW64\Onhhamgg.exe Ognpebpj.exe File opened for modification C:\Windows\SysWOW64\Olkhmi32.exe Onhhamgg.exe File created C:\Windows\SysWOW64\Kbejge32.dll Bmngqdpj.exe File opened for modification C:\Windows\SysWOW64\Kpepcedo.exe Kkihknfg.exe File created C:\Windows\SysWOW64\Mdmegp32.exe Maohkd32.exe File created C:\Windows\SysWOW64\Odpjcm32.exe Oqdoboli.exe File created C:\Windows\SysWOW64\Doeiljfn.exe Dkjmlk32.exe File created C:\Windows\SysWOW64\Dhnnep32.exe Ddbbeade.exe File opened for modification C:\Windows\SysWOW64\Npmagine.exe Ncianepl.exe File opened for modification C:\Windows\SysWOW64\Bganhm32.exe Agoabn32.exe File opened for modification C:\Windows\SysWOW64\Kaemnhla.exe Kpepcedo.exe File created C:\Windows\SysWOW64\Ngcgcjnc.exe Nddkgonp.exe File created C:\Windows\SysWOW64\Bilonkon.dll Cjpckf32.exe File created C:\Windows\SysWOW64\Pgioqq32.exe Pclgkb32.exe File opened for modification C:\Windows\SysWOW64\Pjffbc32.exe Pkceffcd.exe File opened for modification C:\Windows\SysWOW64\Aealah32.exe Aaepqjpd.exe File created C:\Windows\SysWOW64\Edbklofb.exe Eadopc32.exe File created C:\Windows\SysWOW64\Hbbdholl.exe Hcpclbfa.exe File created C:\Windows\SysWOW64\Fgcqbd32.dll Pndohaqe.exe File created C:\Windows\SysWOW64\Bbifelba.exe Bjbndobo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12332 5332 WerFault.exe 616 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaljgidl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doqpak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dboigi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jefbfgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhgjblfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffkjlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Camphf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maohkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdiooblp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcfhof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miemjaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpgdbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjpaooda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqqlehck.dll" Hihbijhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll" Jbhmdbnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnfbohh.dll" Pabkdmpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpjphglm.dll" Bhdbhcck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daolnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eefhjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmfkoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajbcgdm.dll" Bejogg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlbaq32.dll" Gbbkaako.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Melnob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmabdibj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmpgldhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhclbphg.dll" Fbnafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flceckoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikpaldog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnlfigcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpaeonmc.dll" Cbqlfkmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkhbdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll" Njljefql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffddka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naoncahj.dll" Hfnphn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnlfigcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pndohaqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cajcbgml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogmoeik.dll" Fdgdgnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okeieh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjakp32.dll" Aldomc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll" Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnicfelf.dll" Pagdol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajkhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cogmkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdhmnlcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll" Jeklag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Medgncoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjpaooda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdainc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehgqln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdffocib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgkhlnbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llemdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll" Ncfdie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmkadgpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiibkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baaplhef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdnjgmle.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3676 wrote to memory of 1304 3676 a0fff010a04942a3cabfa35744cc5d70_NeikiAnalytics.exe 82 PID 3676 wrote to memory of 1304 3676 a0fff010a04942a3cabfa35744cc5d70_NeikiAnalytics.exe 82 PID 3676 wrote to memory of 1304 3676 a0fff010a04942a3cabfa35744cc5d70_NeikiAnalytics.exe 82 PID 1304 wrote to memory of 3772 1304 Ifhiib32.exe 83 PID 1304 wrote to memory of 3772 1304 Ifhiib32.exe 83 PID 1304 wrote to memory of 3772 1304 Ifhiib32.exe 83 PID 3772 wrote to memory of 4972 3772 Iiffen32.exe 84 PID 3772 wrote to memory of 4972 3772 Iiffen32.exe 84 PID 3772 wrote to memory of 4972 3772 Iiffen32.exe 84 PID 4972 wrote to memory of 956 4972 Ipqnahgf.exe 85 PID 4972 wrote to memory of 956 4972 Ipqnahgf.exe 85 PID 4972 wrote to memory of 956 4972 Ipqnahgf.exe 85 PID 956 wrote to memory of 3716 956 Icljbg32.exe 87 PID 956 wrote to memory of 3716 956 Icljbg32.exe 87 PID 956 wrote to memory of 3716 956 Icljbg32.exe 87 PID 3716 wrote to memory of 2004 3716 Iiibkn32.exe 88 PID 3716 wrote to memory of 2004 3716 Iiibkn32.exe 88 PID 3716 wrote to memory of 2004 3716 Iiibkn32.exe 88 PID 2004 wrote to memory of 3540 2004 Ipckgh32.exe 90 PID 2004 wrote to memory of 3540 2004 Ipckgh32.exe 90 PID 2004 wrote to memory of 3540 2004 Ipckgh32.exe 90 PID 3540 wrote to memory of 1400 3540 Ibagcc32.exe 91 PID 3540 wrote to memory of 1400 3540 Ibagcc32.exe 91 PID 3540 wrote to memory of 1400 3540 Ibagcc32.exe 91 PID 1400 wrote to memory of 4244 1400 Idacmfkj.exe 92 PID 1400 wrote to memory of 4244 1400 Idacmfkj.exe 92 PID 1400 wrote to memory of 4244 1400 Idacmfkj.exe 92 PID 4244 wrote to memory of 1860 4244 Ijkljp32.exe 93 PID 4244 wrote to memory of 1860 4244 Ijkljp32.exe 93 PID 4244 wrote to memory of 1860 4244 Ijkljp32.exe 93 PID 1860 wrote to memory of 2872 1860 Imihfl32.exe 94 PID 1860 wrote to memory of 2872 1860 Imihfl32.exe 94 PID 1860 wrote to memory of 2872 1860 Imihfl32.exe 94 PID 2872 wrote to memory of 1628 2872 Jpgdbg32.exe 95 PID 2872 wrote to memory of 1628 2872 Jpgdbg32.exe 95 PID 2872 wrote to memory of 1628 2872 Jpgdbg32.exe 95 PID 1628 wrote to memory of 436 1628 Jbfpobpb.exe 96 PID 1628 wrote to memory of 436 1628 Jbfpobpb.exe 96 PID 1628 wrote to memory of 436 1628 Jbfpobpb.exe 96 PID 436 wrote to memory of 4632 436 Jiphkm32.exe 97 PID 436 wrote to memory of 4632 436 Jiphkm32.exe 97 PID 436 wrote to memory of 4632 436 Jiphkm32.exe 97 PID 4632 wrote to memory of 3996 4632 Jbhmdbnp.exe 98 PID 4632 wrote to memory of 3996 4632 Jbhmdbnp.exe 98 PID 4632 wrote to memory of 3996 4632 Jbhmdbnp.exe 98 PID 3996 wrote to memory of 3016 3996 Jaimbj32.exe 100 PID 3996 wrote to memory of 3016 3996 Jaimbj32.exe 100 PID 3996 wrote to memory of 3016 3996 Jaimbj32.exe 100 PID 3016 wrote to memory of 2924 3016 Jbkjjblm.exe 101 PID 3016 wrote to memory of 2924 3016 Jbkjjblm.exe 101 PID 3016 wrote to memory of 2924 3016 Jbkjjblm.exe 101 PID 2924 wrote to memory of 1672 2924 Jjbako32.exe 102 PID 2924 wrote to memory of 1672 2924 Jjbako32.exe 102 PID 2924 wrote to memory of 1672 2924 Jjbako32.exe 102 PID 1672 wrote to memory of 632 1672 Jaljgidl.exe 104 PID 1672 wrote to memory of 632 1672 Jaljgidl.exe 104 PID 1672 wrote to memory of 632 1672 Jaljgidl.exe 104 PID 632 wrote to memory of 5064 632 Jfhbppbc.exe 105 PID 632 wrote to memory of 5064 632 Jfhbppbc.exe 105 PID 632 wrote to memory of 5064 632 Jfhbppbc.exe 105 PID 5064 wrote to memory of 3052 5064 Jangmibi.exe 106 PID 5064 wrote to memory of 3052 5064 Jangmibi.exe 106 PID 5064 wrote to memory of 3052 5064 Jangmibi.exe 106 PID 3052 wrote to memory of 4980 3052 Jbocea32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0fff010a04942a3cabfa35744cc5d70_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a0fff010a04942a3cabfa35744cc5d70_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4980 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe24⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4720 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4380 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe27⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe29⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe30⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe31⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4976 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe33⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe35⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe36⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe37⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe38⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe39⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe41⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe42⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe43⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3600 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe46⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe48⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe49⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe51⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe52⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4820 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe55⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3632 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe57⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe58⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe59⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe60⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe61⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe62⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe63⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4776 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe65⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe66⤵PID:3836
-
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe67⤵PID:2480
-
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe68⤵PID:3280
-
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe69⤵PID:4728
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe70⤵PID:796
-
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe71⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4848 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe73⤵PID:4416
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe74⤵PID:1700
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe75⤵PID:2120
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe76⤵PID:3972
-
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe77⤵PID:392
-
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe78⤵
- Drops file in System32 directory
PID:4768 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe79⤵PID:1280
-
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe80⤵PID:4956
-
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe81⤵PID:2392
-
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe82⤵PID:4684
-
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe83⤵PID:1592
-
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5132 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe85⤵PID:5180
-
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe86⤵PID:5228
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe87⤵PID:5284
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe88⤵
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5404 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe90⤵
- Drops file in System32 directory
PID:5448 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe91⤵PID:5488
-
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe92⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe93⤵PID:5580
-
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe94⤵PID:5628
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe95⤵
- Drops file in System32 directory
PID:5672 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe96⤵PID:5716
-
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5756 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe98⤵PID:5800
-
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe99⤵
- Drops file in System32 directory
PID:5848 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe100⤵PID:5888
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe101⤵PID:5936
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe102⤵PID:5980
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe103⤵PID:6024
-
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe104⤵PID:6068
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe105⤵PID:6112
-
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe106⤵PID:2728
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe107⤵PID:5208
-
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe108⤵PID:748
-
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe109⤵PID:5412
-
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5472 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe111⤵PID:5532
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe112⤵PID:5604
-
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe113⤵PID:5660
-
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe114⤵PID:5724
-
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe115⤵PID:5792
-
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe116⤵PID:4124
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe117⤵PID:5916
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe118⤵
- Drops file in System32 directory
PID:5924 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe119⤵PID:6016
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe120⤵PID:6064
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe121⤵PID:3076
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-